CVE-2026-27138

Published: Mar 6, 2026

Modified: Mar 10, 2026

PUBLISHED

Description

Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.

Vendor	Product	Versions
Go standard library	crypto/x509	affected `1.26.0-0 - < 1.26.1`

References

https://groups.google.com/g/golang-announce/c/EdhZqrQ98hk

https://go.dev/issue/77953

https://go.dev/cl/752183

https://pkg.go.dev/vuln/GO-2026-4600

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-27138

Description

Affected Products

References